FAQ

What version of Aircrack-ng am I running?

Run 'aircrack-ng | head'. Version information is in the first line of text (second if the empty line is taken into account).

What is the best wireless card to buy?

Which card to purchase is a hard question to answer. Each person's criteria are somewhat different: one may require 802.11n capability, another may need the card to work via virtualization. However, having said that, if money is not a constraint then the following cards are considered the best in class:

Alfa AWUS036ACH (a/b/g/n/ac) is the best performing card, but the driver can be unstable enough to crash your kernel

Alfa AWUS036ACM (a/b/g/n/ac) is the highest performing of the STABLE devices, but it requires kernel 4.19.5 or higher, and the driver doesn't work on the Raspberry Pi yet

Runners-up:

Alfa AWUS036H [b/g USB]

Ubiquiti SRC [a/b/g Cardbus]

Ubiquiti SRX [a/b/g ExpressCard]

Airpcap series [USB]

TP-Link TL-WN722N v1 [b/g/n USB] - Beware, if version is not specified by vendor, it is NOT v1

Any GPS recommendation?

"command not found" error message

After you run “make install” and then try to use any of the aircrack-ng suite commands, you get the error message “command not found” or similar. See the tip with the same message in the troubleshooting tips.

How do I crack a static WEP key?

The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named KoreK.

Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.

How many IVs are required to crack WEP?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more.

There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng cannot report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with “-n 64” to crack 40-bit WEP. Then, if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.

The figures above are based on using the KoreK method. With the introduction of the PTW technique in aircrack-ng 0.9 and above, the number of data packets required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets. PTW is limited to 40- and 104-bit key lengths. Keep in mind that it can take 100K packets or more even using the PTW method. Additionally, PTW only works properly with selected packet types. Aircrack-ng defaults to the PTW method, and you must manually specify the KoreK method in order to use it.

How can I know what the key length is?

You can't know the key length: there is no information about it at all in the wireless packets, which is why you have to try different lengths. Most of the time, it's a 128 bit key.

How do I know my WEP key is correct?

Just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, the best way is to decrypt a capture file with the airdecap-ng program.

How can I crack a WPA-PSK network?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required.

FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.

Where can I find good wordlists?

The easiest way is to do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools; many times they have references to word lists. A few sources follow. Please add comments or additions to this thread: https://forum.aircrack-ng.org/index.php?topic=1373.0.

Remember that valid passwords are 8 to 63 characters in length. The Aircrack-ng Other Tips page has a script to eliminate passwords which are invalid in terms of length.
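As an added illustration (not code from this FAQ or from the Aircrack-ng project) of the two points above: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt (4096 iterations, 32 bytes), so a table of PMKs computed for one ESSID is useless for any other, and candidates outside 8 to 63 printable ASCII characters can be discarded before any hashing. The SSIDs, passphrase and wordlist lines below are constructed sample values.

```python
import hashlib

# Constructed sample values for the demonstration (not from the FAQ).
SAMPLE_SSID_A = "HomeNet"
SAMPLE_SSID_B = "HomeNet-guest"
SAMPLE_WORDLIST = [
    "short\n",                  # 5 chars: can never be a WPA passphrase
    "correct horse battery\n",  # valid length
    "x" * 64 + "\n",            # 64 chars: one over the limit
    "Tr0ub4dor&3\n",            # valid length
]


def valid_wpa_passphrase(passphrase: str) -> bool:
    """802.11 passphrases are 8 to 63 characters of printable ASCII (0x20..0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def filter_wordlist(lines) -> list[str]:
    """Keep only candidates that could ever be a valid WPA-PSK passphrase."""
    return [w for w in (line.rstrip("\r\n") for line in lines) if valid_wpa_passphrase(w)]


def pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes).

    The ESSID is the salt, so the same passphrase yields a different PMK on
    every network; a single precomputed rainbow table therefore cannot exist.
    """
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def precompute_table(words, ssid: str) -> dict[str, bytes]:
    """A PMK table is bound to one ESSID: a different SSID needs a new table."""
    return {w: pmk(w, ssid) for w in filter_wordlist(words)}


if __name__ == "__main__":
    table_a = precompute_table(SAMPLE_WORDLIST, SAMPLE_SSID_A)
    table_b = precompute_table(SAMPLE_WORDLIST, SAMPLE_SSID_B)
    for word in table_a:
        print(f"{word!r}: PMK differs between the two SSIDs -> {table_a[word] != table_b[word]}")
```

The first assertion in the accompanying check uses the published IEEE 802.11 test vector (passphrase “password”, SSID “IEEE”), which is a convenient way to confirm the derivation parameters are right.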

How do I recover my WEP/WPA key in Windows?

Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack:

Mix the IV and the shared key using a hash function or

Discard the first 256 bytes of RC4's output.

There has been some disinformation in the news about the “flaws” of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (Michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither are going to be cracked in the near future.

How do I learn more about WPA/WPA2?

How do I decrypt a capture file?

What are the authentication modes for WEP?

There are two authentication modes for WEP:

Open System Authentication: This is the default mode. All clients are accepted by the AP, and the key is never checked, meaning association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.

Shared Key Authentication: The client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.

Can I convert cap files to ivs files?

Can I use Wireshark/Ethereal to capture 802.11 packets?

Under Linux, simply set up the card in monitor mode with the airmon-ng script. Under Windows, Wireshark can capture 802.11 packets using AirPcap. Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.

Can Wireshark/Ethereal decode WEP or WPA data packets?

Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit → Preferences → Protocols → IEEE 802.11, select “Enable decryption”, and fill in the key according to the instructions in the preferences window. You can also select “Decryption Keys…” from the wireless toolbar if it's displayed.

Many times in this forum and on the wiki we suggest using Wireshark to review packets. There are two books which are available specifically for learning how to use Wireshark in detail.

The good news is that they have made Chapter 6 of the “Wireshark & Ethereal Network Protocol Analyzer Toolkit” covering wireless packets available online in PDF format. Here is the link to Chapter 6. As well, see this section on the Wireshark Wiki.

Madwifi-ng Notes: The madwifi site has a detailed documentation page on changing the MAC address under madwifi-ng: How can I change the MAC address of my card? Starting in r2435 of the madwifi-ng driver, they changed the default way in which new VAPs get their MAC address. When creating a new VAP with wlanconfig, you must specify “-bssid” to have it use the underlying MAC address. If you don't do this, then the new VAP gets a unique MAC. This will cause problems with various aircrack-ng commands.

Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. The first half (00:09:5B) of each MAC address is the manufacturer. The second half (EC:EE:F2) is unique to each network card. Many access points will ignore invalid MAC addresses. So make sure to use a valid wireless card manufacturer code when you make up MAC addresses. Otherwise your packets may be ignored.

Can I have multiple instance of aireplay-ng running at the same time?

How to use spaces, double quote and single quote, etc. in AP names?

You have to prefix those special characters with a "\". This is called escaping a special character. Examples: with\'singlequote, with\"doublequote.

You also need to handle the symbol "&" the same way. Example: "A&B".

You can use single quotes. Examples: 'with space', 'with"doublequote'.

As well, you can use double quotes. Examples: "with space", "with'singlequote".

NOTE: If you enclose the AP name in single or double quotes, then you don't also need to escape special characters within the single or double quotes.

IMPORTANT EXCEPTION: If the AP name contains "!" then special care must be taken. The reason is that the bash interpreter thinks you want to repeat a previous command. Your options are:

Use single quotes as in 'name!with!bang'.

Escape the "!" as in name\!with\!bang.

Use double quotes plus the escape as in "name\!with\!bang".

Sometimes the AP name contains leading or trailing spaces. These can be very hard to identify from the airodump-ng screen. Here are a few methods to deal with this situation:

The airodump-ng text file includes the SSID (AP name) length. So you can compare the length in the text file to the count of visible characters. If the airodump-ng text file count is greater, then you know that the SSID has leading or trailing spaces.

Use Wireshark to look at the beacon. Unless the SSID is hidden, the SSID is in quotes and you should be able to see leading/trailing spaces.

The 1.0rc1 version of aireplay-ng will automatically pull the correct SSID from the beacon for you assuming it is not hidden. Simply omit the SSID parameter from aireplay-ng.

What is the size of ARP packets?

When captured through a wireless interface, 68 bytes is typical for ARP packets originating from wireless clients. 86 bytes is typical for ARP requests from wired clients.

On Ethernet, ARP packets when received are typically 60 bytes long. When this is then relayed by a wireless access point, they are 86 bytes. This is, of course, because of the wireless headers. If a wireless client sends an ARP, they are typically 42 bytes long and they become 68 when relayed by the AP.

Does the aircrack-ng suite support Airpcap adaptor?

I have a Prism2 card, but airodump-ng / aireplay-ng doesn't seem to work!

First, make sure you aren't using the orinoco driver. If the interface name is wlan0, then the driver is HostAP or wlan-ng. However if the interface name is eth0 or eth1, then the driver is orinoco and you must disable the driver. The easiest way to do this is to blacklist it in /etc/modprobe.d/blacklist.

Also, it can be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date (see Prism2 flashing for instructions). The recommended station firmware version is 1.7.4. If it doesn't work well (kismet or airodump-ng stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex for old Prism2 cards, or sf010506.hex for newer ones).

On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices with wlan-ng.

I have an Atheros card, and the madwifi patch crashes the kernel / aireplay-ng keeps saying enhanced RTC support isn't available

There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11 was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is just broken. Thus, it is highly recommended to use either Linux 2.6.11.x or newer.

Why do I have bad speeds when I'm too close to the access point?

Problem: The wireless card behaves badly if the signal is too strong. If you are too close (1-2m) to the access point, you get high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s.

This is called antenna and receiver saturation. The signal coming in to the preamplifier is too strong and clips the input of the amplifier, causing signal degradation. This is a normal phenomenon with most 802.11 hardware.

So, is it a driver problem or is it my network hardware?

Neither, really. It's a physics problem. The only solution is to either decrease transmission power, use an antenna with a lower gain factor, or move the access point farther away from the station.
You should use wired Ethernet when you're close to the access point. If you don't want or don't have a wire, you can also decrease the output power of your access point or your card.

How do I download and compile aircrack-ng?

The driver won't compile

This usually happens because the Linux headers don't match your currently running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try compiling the driver again. See this HOWTO for more details about kernel compilation.

Why do I get ioctl(SIOCGIFINDEX) failed: No such device?

Double check that your device name is correct and that you haven't forgotten a parameter on the command line.

When using linux-wlan-ng driver, be sure to enable the interface first with airmon-ng.

Why do I get the 'SIOCSIFFLAGS : No such file or directory' error message?

Some drivers require a firmware to be loaded (b43, prism54, zd1211rw, …). The driver typically loads the firmware itself when started.
In this case, the driver didn't find it because the firmware was not in the right place or is missing from the computer. To find the firmware's correct location, read the driver documentation.

Why does my computer lock up when injecting packets? Is there a solution?

Is VMware supported?

Yes, the aircrack-ng suite has successfully been run under VMware. One limitation of VMware: you can't use PCMCIA or PCI cards. You can ONLY use compatible USB wireless cards. Some limited additional information is available here:

What other tips do you have?

Windows GUI Error message

Running the Windows GUI gives an error message similar to “the application failed to initialize properly (0xc0000135). Click on OK to terminate the application”. To correct this, ensure you have the Microsoft .NET framework 2.0 installed.

My network card changes its name from eth0 to eth1

Or even to eth2, or from wlan0 to wlan1, or … You know what the symptoms mean if you suffer from this problem. This happens when you change your MAC address and udev thinks it has detected a new network card. udev keeps track of this, so your network card naming stays mixed up even after a reboot.

Open /etc/udev/rules.d/z25_persistent-net.rules in your preferred text editor (“z25_” may be something different on your system).

Search for the lines concerning your nwc and delete or just disable them by inserting a leading “#”.

Reboot and everything should be back to normal and stay there.

Note: If you update udev to a newer revision you may have to do this again.

What is the format of a valid MAC address?

A normal MAC address looks like this: 00:09:5B:EC:EE:F2. It is composed of six octets. The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI). Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point. The current list of OUIs may be found here.

Make sure that the last bit of the first octet is 0. This corresponds to unicast addresses. If it is set to 1, this indicates a group address, which is normally used exclusively by multicast traffic. MAC addresses with a source set to multicast are invalid and will be dropped.

Examples of valid OUIs: 00:1B:23, 08:14:43, AA:00:04 because 0, 8 and A are even

Examples of invalid OUIs: 01:1B:23, 03:23:32

In particular, it is recommended that the first octet is 00.
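An added helper (not from this FAQ or from Aircrack-ng) that applies the checks in this entry mechanically: six colon-separated hex octets, the OUI/extension identifier split, and the group bit (least significant bit of the first octet), which must be 0 for a usable source address. The inputs in the accompanying check are this entry's own example OUIs and MAC address plus a constructed multicast address.

```python
import re

_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_octets(text: str, count: int) -> list[int]:
    """Parse 'XX:XX:...' into integers, requiring exactly `count` two-digit hex octets."""
    parts = text.strip().split(":")
    if len(parts) != count or not all(_OCTET.match(p) for p in parts):
        raise ValueError(f"expected {count} colon-separated hex octets, got {text!r}")
    return [int(p, 16) for p in parts]


def is_group_bit_set(first_octet: int) -> bool:
    """Bit 0 of the first octet: 0 = unicast (individual), 1 = group/multicast."""
    return first_octet & 0x01 == 1


def _fmt(octets: list[int]) -> str:
    return ":".join(f"{b:02X}" for b in octets)


def valid_oui(oui: str) -> bool:
    """An OUI is three octets; an even first octet means the group bit is clear."""
    try:
        octets = parse_octets(oui, 3)
    except ValueError:
        return False
    return not is_group_bit_set(octets[0])


def split_mac(mac: str) -> tuple[str, str]:
    """Return (OUI, extension identifier) as upper-case 'XX:XX:XX' strings."""
    octets = parse_octets(mac, 6)
    return _fmt(octets[:3]), _fmt(octets[3:])


def valid_source_mac(mac: str) -> bool:
    """A usable source MAC has six octets and the group bit clear (unicast).

    Frames with a group-bit source are dropped outright; access points may
    additionally ignore sources whose OUI is not a registered manufacturer,
    which this function cannot check without the OUI list.
    """
    try:
        octets = parse_octets(mac, 6)
    except ValueError:
        return False
    return not is_group_bit_set(octets[0])
```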

What is ARP?

The address resolution protocol (ARP) is explained in more detail here.

Is Mac OS X supported?

The aircrack-ng suite has limited Mac OS X support. Currently it only supports the following tools: aircrack-ng, packetforge-ng, ivstools and makeivs. Any program which requires opening a wireless interface is not supported.

What is RSSI?

RSSI means Received Signal Strength Indication. It is a measurement of the strength of the received radio signal in a wireless environment, expressed in arbitrary units.

What is the difference with long and short preamble?

Every packet is sent with a preamble, which is just a known pattern of bits at the beginning of the packet so that the receiver can sync up and be ready for the real data. This preamble must be sent at the basic rate (1 Mbps), according to the official standard. But there are two different kinds of preambles, short and long. The long preamble has a field size of 128 bits, while the short preamble is only 56 bits.

Will I get better range with maximum output power?

No, this is a false assumption in most situations.

In a home environment, the best output power is not always the maximum. In most situations, 30mw is enough. However, if you are a long distance from the AP, then yes, maximum output power is the best.

Do wifi amplifiers have a better range?

No, amplifiers are not a very good idea because:

Amplifiers also amplify noise and that's not a good thing for link quality

With high amplification, you could get a headache

You are much better off purchasing a good antenna with high gain.

My card says that I have 20dBm (100mW) but I only have 18dBm, why?

Most cards have 100mW when combined with the antenna (2dBi antenna).

In 802.11a and 802.11g, the output power is 30mW due to modulation (it's a bit harder to use OFDM than CCK)

Will I have better reception with stronger transmit power?

No, the transmit power is not linked with receiving at all. For receiving, you should check the receive sensitivity of your card. As well, you are much better off purchasing a good antenna with high gain.

How Do I Check What Mode My Card Is In?

How Do I Add a New USB Device ID to My Driver?

If you have a very new USB device, sometimes the device ID has not been included in the driver. The following article describes how to do this for a specific driver. The technique can be used for all USB drivers.

Why do I get "Error creating tap interface: Permission denied" or a similar message?

This is caused by SELinux (Security Enhanced Linux) preventing the interface from starting. To resolve, disable SELinux. See the support forums for your particular linux to determine how to do this.

Why doesn't airodump-ng display anything on an Android terminal?

By default, the terminal's stty rows and columns are set to 0, so airodump-ng has no screen to draw on. Set them explicitly, for example:

stty columns 86

stty rows 39

How much does Aircrack-ng cost?

Aircrack-ng is “free software”; you can download it without paying any license fee. The version of Aircrack-ng you download isn't a “demo” version, with limitations not present in a “full” version; it is the full version.
The license under which Aircrack-ng is issued is mostly the GNU General Public License version 2. See the GNU GPLFAQ for some more information.

You may also want to check out the OpenSSL license included in our source code download.

But I just paid someone on eBay for a copy of Aircrack-ng! Did I get ripped off?

That depends. Did they provide any sort of value-added product or service, such as installation support, installation media, training, trace file analysis, or funky-colored socks? Probably not.
Aircrack-ng is available for anyone to download, absolutely free, at any time. Paying for a copy implies that you should get something for your money.

Can I use Aircrack-ng commercially?

Yes, if, for example, you mean “I work for a commercial organization; can I use Aircrack-ng to capture and assess WiFi network security in our company's networks or in our customers' networks?”

If you mean “Can I use Aircrack-ng as part of my commercial product?”, see the next entry in the FAQ.

Can I use Aircrack-ng as part of my commercial product?

As noted, Aircrack-ng is licensed under the GNU General Public License, version 2. The GPL imposes conditions on your use of GPL'ed code in your own products; you cannot, for example, make a “derived work” from Aircrack-ng, by making modifications to it, and then sell the resulting derived work and not allow recipients to give away the resulting work. You must also make the changes you've made to the Aircrack-ng source available to all recipients of your modified version; those changes must also be licensed under the terms of the GPL. See the GPLFAQ for more details; in particular, note the answer to the question about modifying a GPLed program and selling it commercially, and the question about linking GPLed code with other code to make a proprietary program.
You can combine a GPLed program such as Aircrack-ng and a commercial program as long as they communicate “at arm's length”, as per this item in the GPLFAQ.